How is this potential replacement for Labour’s ID Card system being developed? It is ostensibly part of the Coalition’s cost cutting programme. Their ultimate aim is doubtless to restrict access to public services and benefits through websites. In pursuit of this end the Coalition proposes that people wishing to access public services should create a unique personal identifier, with either mutual organisations or private companies such as VISA providing “identity assurance” services. The individual would choose their identity assurance provider. Here is the Cabinet Office Minister Francis Maude explaining the Government’s position:

“The UK coalition government plans to introduce the identity assurance model in August 2012. If all goes well, the government plans to come up with a working prototype of the model in October this year.

“Online services have the potential to make life more convenient for service users as well as delivering cost savings. However, currently customers have to enter multiple log-in details and passwords to access different public services, sometimes on the same website,” said Maude, The Register reports.

The scheme has nothing like the ambition of Labour’s ID Card scheme, but it is easy to see how it could grow into a fully fledged identity scheme which would be every bit as intrusive as that proposed by the Labour Government. Personal details will be held on the databases run by the identity assurance suppliers and the universal identifier will allow state departments to readily link the data held on an individual by various government departments and databases. It is also likely that every child will have an identifier from birth because they need to access
services such as the NHS and education.

That would be the immediate authoritarian danger. Move the story along a year or two and we see it being made more and more difficult to gain access to public services without using a website. That will mean a universal identifier becomes ever more necessary. Eventually a future government will announce that as, say, 80% of te people eligible for public services have unique personal identifiers, in a ear or two everyone must have them if they wish to access public services. Once hat is done, not having a unique personal identifier will seem odd at best and suspicious at worst. A government will then make the case that it is essential for everyone to have a unique personal identifier so that terrorism, crime in general and immigration can be tackled. They will then make a unique personal identifier compulsory. At that point we are potentially at the scenario envisaged by the Labour Government; a universal database system contain vast amounts of personal data. All that would be lacking is a physical identity card.

The absence of a physical identity card would not in itself be a great check on an authoritarian government because identification by biometrics such as iris scans or fingerprints could be done by machines – it is not unreasonable to imagine technology advancing enough within the next few years to provide the police with biometric scanners linked to a central database which they can carry with them. But before we get to the stage where the holding of a unique personal identifier is compulsory, identity cards may have been issued because the government thinks (rightly) that a physical object will tie people to the idea more than a system held in cyberspace.

There is also the private and mutual sector dimension. A reliable means of identifying people would be very attractive to private companies and not-for-profit organisations (many of which are effectively sub-contracted state agencies). Once the identity assurance system is up and running, there will doubtless be lobbying for the unique personal identifier is extended to them. The likelihood is that the wish would be eventually granted. This in turn would increase the speed of the take up of the unique personal identifiers as it would become increasing difficult
to exist without one. It is also likely that once possession of a unique personal identifier became the norm, insurers who deal with insuring businesses dealing directly with the public will insist on such companies requiring a unique personal identifier before granting insurance. Alternatively they would up the premium for companies which refuse.

The other risk is that data is lost, stolen or sold illegally. That could have immense personal consequences. The greater the need for a unique personal identifier, the greater the opportunity for amassing information about individuals. Imagine a world in which most or all of these were linked: work record, health record, spending patterns, details of civil law actions, police record (which could simply be an arrest from which no trial or caution resulted) and tax details. Should you have a spouse and children, their records might well end up linked to yours.

The Coalition Government will make promises that none of these things will happen, but we all know how worthless such promises are. Nor can any Government bind its successor because we have no superior constitutional law. All a future government would have to do is introduce new legislation to allow them to do whatever they want.

The time to protest about such possibilities is now, not when the system is up and running. Create the same stink about this as was made about Labour’s ID Card scheme. See it off now because it will never be seen off once the basic system, is in place. A national identity system whether officially compulsory by law or made irresistible by public and private administrative demands becomes a licence to exist in the jurisdiction which insists upon its use.

Below is an article I wrote in 2004 about the proposed Labour system. Its message is still relevant to this new threat to personal freedom.

————————————

Published in the July 2004 issue of The Individual, the journal of the Society for Individual Freedom (www.individualist.org.uk)

The practical problems and implications of biometric identities

Robert Henderson

The libertarian and moral implications of ID cards have generated a great amount of newsprint, but much less attention has been given to what biometric based ID cards will mean in practice or to their practicality. This is a serious deficiency because a biometric-based ID card will be an entirely different animal from any non-biometric-based ID card.

If it is successful, such a system will give a government unprecedented control of the lives of the individual – the ID card would potentially be a licence to legally exist – and if flawed in operation, cause untold disruption and personal misery.

How effective are biometric data as identifiers?

Biometric identifiers are generally presented to the public as foolproof, Big Brother, sci-fi-style technology. The reality is that there is no biometric identifier which is anything like foolproof, nor, as we all know to our daily cost, any computer system which does not regularly crash.

What would be the most likely biometric data to be used? Iris scanning, fingerprinting and facial parameter recognition are the frontrunners, either singly or in combination. Facial parameters are far from foolproof, while fingerprinting, despite what is generally thought, is far from conclusive being decided on points of similarity rather than an absolute individual singularity. One suspects that iris print recognition has similar drawbacks, whatever the “experts” tell us.

Take the expert on biometric testing Professor John Daugman, who is based in Cambridge University. He developed the algorithm for iris recognition. In the Daily Telegraph (12 5 2004) he is reported as saying: “The key point is the relative complexity of the iris, compared to, say, the fingerprint,” explains Professor Daugman, who is based at Cambridge University. “The iris is much more random and much more complex, so it Is much more likely to be truly unique.” Randomness is measured in degrees of freedom. The face has less than 20 degrees of freedom. Fingerprints have 40 degrees of freedom, but the iris has 200 degrees of freedom. “If we wanted the face to be as complex as the iris, we would need to have five mouths and seven noses…”

Prof Daugman goes on to say that “The technology has never yet given a false match and we have made millions of comparisons so far,” then unblushingly admits there have been problem with eye lashes and eye malformations. I think we should translate his remark as “The technology has never given a false reading where we have been able to get a readable iris print.”

The Home Office Commons select committee recently went to a demonstration of iris-scanning. The Daily Telegraph (7 5 2004) reported: “Members of the Commons home affairs select committee who tried out the technology yesterday were told that up to seven per cent of scans could fail.”

I heard a member of the committee, Liberal Democrat Bob Russell, on Radio 5 (6 May) telling of his experiences. His iris test failed because his eyes watered profusely. Russell also said that the test was as intrusive as a visit to the opticians with lights being shone directly into the eye. He found the experience physically unpleasant.

DNA analysis – which would be more certain – is a theoretical possibility, but whether it would be technically possible now or within the foreseeable future to have a system which could analyse DNA samples quickly enough is dubious. The person checking an identity would have to have a means of checking within minutes a DNA sample taken from a suspect and then comparing that with the DNA record in the central database.

As things stand, the most likely biometric identifiers on the card and database will be fingerprints and facial profiling, the latter to act as a decider if the fingerprint test does not produce a positive identification. The reason why facial profiling will be probably be chosen in front of iris recognition is that the International Civil Aviation Authority is pushing for it in machine-readable passports. The problems of damage and biometric impersonation.

A fingerprint could be damaged by scarring or a temporary injury. Ditto an iris print. As for facial parameter recognition, how effective is that going to be as a person ages? Doubtless the “experts” will claim that basic facial parameters – breadth of forehead, distance between eyes and such forth – remain constant enough, but as the system is far from foolproof to begin with – Prof Daugman puts it as the least effective of the three biometrics being considered – can we honestly be sure that ageing may not produce sufficient change through, say, muscle
relaxation or gum shrinkage, to distort the face sufficiently to cause a false non-recognition result?

Biometric impersonation could conceivably occur with people wearing contact lenses to give a false iris print (the experts such as Prof Daugman swear blind this would not fool a scanner because it uses infra red which would show up a flat plate , i.e. the contact lens, over the iris, but you know what experts are like) or having fingerprint “masks” of someone else to wear on their fingers. Further down the line surgical techniques, including genetic surgery, could be used to alter someone’s biometric data.

There is also the question of technological advance generally. We simply cannot envisage what advances may be made which will breach what is now seen as a seemingly secure system.

What of the robustness of the Government’s computer system? Will it break down or even ever get to a stage of development where it can go live? We all know what a mess large government computer projects have been. Why should this, which is even larger and more complicated than those now in existence, be anything other than a mess.

Could biometric cards be successfully forged?

Could biometric cards ever be foolproof in even the narrow sense of being impossible to forge? Could forgeries exist? If biometric data are to be stored on a central database which can be immediately accessed it would be pointless to get a false card if the system would pick up duplicated biometric data. However, someone, for example, a foreigner, whose details have never been on the database, could get a card in a false name using false initial documentation – the initial identification of the person can only be done by good old fashioned methods such as passports and driving licences. There is also, of course, the opportunity for bribery of those operating the system.

If the database programme does not have the facility to check new biometric data against that already on the database, multiple applications for cards under different names could be made.

If there is not immediate verification of the biometric data by reference to the database, forged cards could be used because all the card would do is provide whatever data the forger chooses to put on the card when the card is put into a reader. Moreover, if the card is simply put into a reader and verified with the data held on the database, all that tells you is that the card is in agreement with the database. It does not tell you whether the person who holds the card is the same person. Thus the identities of legitimate cardholders could be copied onto
forged cards. The only certain way of stopping this would be to read the data directly from the cardholder and compare it with data held on the central database.

Another problem would be the possibility of a card forger placing a programme on the card which would surreptitiously override the application to the central database and place data contained on the card in the reader in a form in which looked as though it came from the central database, a trick akin to placing videos in security systems to give the impression that a surveillance system is working when it is not.

The initial identification of those applying for cards

A basic problem of false identification exists at the point where the person’s identity is to be established before the identity card is to be issued. Forged documents will be of the type which are now forged, i.e. without biometric data. Over the generations this might become a smaller problem as children are registered at birth, but for the foreseeable future it will be a major difficulty. The initial registering of the 60 million people in Britain will also be a massive task. Even if new passports and driving licences are going to require biometric data allowing the database to be gradually built up over years, that will still leave millions of people who neither drive nor have passports. The administrative problems of ensuring all those are issued with cards will be immense.

What non-biometric data could be on the database

It would be impractical to include data which will regularly change such as a person’s address or workplace. Yet that is precisely the type of non-biometric data which is most useful in identifying someone. And what will the police do if they pick up a suspect but have to rely on the subject to give them an address?

The administrative problems in the field

These are mind-boggling. Can one imagine the ordinary policeman or immigration officer comfortably or efficiently using complicated machines to read the data either from the cards or directly from the cardholder? Or how about every store or bank requiring one? Think of your average bored teenager serving in a shop and then let your mind boggle at the idea of them taking an iris print. One can all too easily imagine a situation where using the machine is simply not done because the operator cannot be bothered or does not understand the procedure. British passports have been machine readable since 1988. How many are ever machine read? Very few. Equally demanding would be the mammoth task of maintaining literally thousands (potentially tens of thousands) of machine card readers around the country. The likelihood is that many would break down and in such circumstances identity checks would simply be made by a non-id card means.

The potential practical ill effects of a biometric-based ID card

There are potentially massive practical problems which could arise from such a card. What happens if a person’s card is lost or the biometric data used as an identifier is damaged, e.g. by scarring a fingerprint? How would they actually exist if the card is necessary for daily living?

The failure rate for recognition requests would not have to be large to make the security of the card and its practical use as an identifier problematical. With a database of 60 million (the UK population) even a one tenth of one percent failure would mean 60,000 potential failures, each of which could be repeated many times if the card is needed for a wide range of activity which is the Government;s intention. (A Home Office press release states “crucially, the cards will help people live their lives more easily, giving them watertight proof of identity for use
in daily transactions and travel” – (http://www.homeoffice.gov.uk/n_story.asp?item_id=91). Imagine that you are one of the unlucky ones whose biometrics do not identify you positively, being faced over and over again with the need to prove who you are by other means.

There is also the strong possibility that false information will be put into the database. Governments will not be able to resist the temptation of going beyond the mere identification of someone. They will wish to store details of other things such as criminal records, health data and welfare take-up.

When an identity card was introduced in 1939 it had three purposes: to aid the function of rationing, help conscription and improve security and immigration. When a Commons committee examined the experience of the ID in 1950 (when it was still in force) the number of purposes had risen to 39.

One may be certain that something similar will occur if a biometric card is introduced. Indeed, the schedule 1 of the draft Bill currently doing the “consultation” rounds has a long list of information to be included on the ID register. This includes names, date and place of birth, photograph, fingerprint (and other biometric information), residential status, nationality, entitlement to remain in Britain and the exact terms of the right to remain and a National Identity Registration Number. It will also carry a record of any changes made to the Register.

The more information the more uses to which the card will be put. The more powerful computer technology becomes, the greater the ease and range of sharing information.

There is also the possibility that simple error will result in non-biometric data being entered which will make the identity of the person suspect, eg, the wrong middle name. At best that would be extremely inconvenient for the individual. Or suppose your health records have the wrong blood group inputted and you do not know. You have an accident and are taken to hospital unconscious and the wrong blood is used for a transfusion?

More generally, what would happen if the government computer system crashed, either through its own inherent weaknesses or from a malicious hackers attack? How would the world work if everything has become dependent upon the person’s state stored identity? The quick answer is the world would not work.

There is also the question of security. In principle a system could be set up whereby the machine card readers (or readers of biometric data directly from the individual) could have varying levels of access. All readers would identify you as the individual corresponding to the biometric data, but additional information such as health and credit data would be restricted to those with a legitimate reason to know them. For example, you go to hospital and their reader will allow them to see what your health data is but nothing more. You go to get credit from a store and the shop’s reader gives them access only to your credit status.

Fine in principle, but does anyone believe that any of the information on the card would not rapidly become successfully “hacked” by anyone with the necessary IT skills? There is no reason to believe so because every other “secure” system to date has been hacked, even those with the highest security.

ID Cards are not the problem, the database is

Identity cards as such are a red herring. If the system is sophisticated enough to read from a database and check it immediately against biometric data taken directly from a suspect there would be no need for a card because the person would carry his own identification all the time, i.e. his or her biometric data. It is the database which is the problem.

The overt purposes of the proposed card

What effects would an identity card have on welfare abuse, crime, illegal immigration and security? If the card is voluntary or carrying it is optional, it will little if any effect on the last three items, for any person stopped who does not have a card will simply fail to appear with his or her card at a police station within the seven days as proposed in the draft Bill. However, let us assume that the carrying the card becomes obligatory. What then?

In theory, welfare benefits, including NHS treatment, housing and education could be better controlled, but there is the small matter of 400 million odd citizens from other EU countries to consider who have or shortly will have an absolute right to benefits in the UK. To those can be added millions more from around the world from countries such as Australia and Canada who have reciprocal welfare arrangements with the UK? Will they have to apply for a UK card before they get them?

Perhaps, but what of emergency health treatment? Would any government, when shove comes to push, have the will to deny treatment to those without a card? Moreover, what of failed asylum seekers who are not deported because it is deemed that their native countries are too dangerous to return the failed asylum seeker to? Will they be denied treatment even where the illness or injury is serious but not immediately life threatening, for example, if they are HIV-positive?

An ID card is no help in solving crime generally because the police can only arrest or investigate those people whom they have already identified. In theory a card might reduce fraud based on identity misrepresentation, but that assumes private companies will play ball with the Government’s stated intention that cards will be used “in daily transactions and travel”. As they all have their own cards and identification systems which are getting ever more sophisticated, it is extremely dubious that they will willingly add another layer of expensive security to their own.

As for illegal immigration, a government could make it impossible for a person to work legally in Britain unless they have a card. However, to enforce that would require an immense bureaucracy and a willingness to harass both employers and the general public severely. Employers would have to be regularly prosecuted and subject to stiff penalties for employing illegal labour, while the general public would find that they were essentially slaves requiring the permission of the state to gain employment. In fact, if a card was made necessary for not only employment but welfare and transactions such as opening a bank account or using a credit card, the individual would effectively require the permission of the state to live. Ultimately, the state could control people simply by discontinuing money in the form of notes and coins and making people use cards for all purchases.

As an anti-terrorist measure it would be pretty meaningless because any visitor to this country will not have to have an identity card. As tens of millions of visits are made each year, any terrorist could operate without ever being asked to prove his identity by any means other than would now be employed. As for any home grown terrorist, they will be able to get a valid card and until identified as a terrorist, by which time identity is established, they will be able to use it to move freely in the UK. It is also true that once human beings become reliant on machine checks they tend to treat them as holy writ and become much less generally observant and suspicious.

What if the proposed UK system proves inoperable?

The proposed UK card will not begin to be implemented if at all until 2007 and, even by the Government’s estimates, it will take many years to establish universal coverage of the UK population. But even if the card is never fully implemented by further legislation the government will have a database with the biometric details of most of the population in a few years through their inclusion on passports and driving licences. This will be shared by government departments and other public agencies. It will be subject to hacking and the corrupt release of
information by those working within the system. If such a system is implemented I predict that all those who are pro-ID card will be converted to the anti-card camp the first time they are stopped by the police and asked for it, or the first time their biometrics are checked and show a false negative, or the first time the database crashes and makes transactions impossible because identity cannot be verified, or the first time that they lose their card and find their lives in limbo.

Those who are against ID cards on principle will need no urging to oppose them. But even those who are in principle supportive of the idea of an ID card – and regrettably polls consistently show 70-80% of Britons in favour – may still rationally reject the idea of this card because of the sheer impracticality of the proposed system and its palpable failure to meet the objectives which persuaded them to become supporters.